How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Description

Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.

39.
39
SQL Injection
Core Idea: Does the page look like it might need to call on stored data?
There exist some SQLi polyglots, i.e;
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/
Works in single quote context, works in double quote context, works in “straight into query”
context! (Mathias Karlsson)

40.
40
SQL Injection
You can also leverage the large database of
fuzzlists from Seclists here:

45.
45
Local file inclusion
Core Idea: Does it (or can it) interact with the server file system?
Liffy is new and cool here but you can also use Seclists: Common Parameters or Injection points
file=
location=
locale=
path=
display=
load=
read=
retrieve=

46.
46
Malicious File Upload ++
This is an important and common attack vector in this type of testing
A file upload functions need a lot of protections to be adequately secure.
Attacks:
● Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web
shells or...
● Execute XSS via same types of files. Images as well!
● Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
● Bypass security zones and store malware on target site via file polyglots

71.
71
Data Storage
Its common to see mobile apps not applying
encryption to the files that store PII. Common places to find PII unencrypted
Phone system logs (avail to all apps)
webkit cache (cache.db)
plists, dbs, etc
hardcoded in the binary

76.
76
How to test a web app in n minutes
How can you get maximum results within a
given time window?

77.
77
Data Driven Assessment (diminishing return FTW)
1. Visit the search, registration, contact, password reset, and comment
forms and hit them with your polyglot strings
2. Scan those specific functions with Burp’s built-in scanner
3. Check your cookie, log out, check cookie, log in, check cookie. Submit old
cookie, see if access.
4. Perform user enumeration checks on login, registration, and password
reset.
5. Do a reset and see if; the password comes plaintext, uses a URL based
token, is predictable, can be used multiple times, or logs you in
automatically
6. Find numeric account identifiers anywhere in URLs and rotate them for
context change
7. Find the security-sensitive function(s) or files and see if vulnerable to
non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection
bypass, and see if they can be done over HTTP.
8. Directory brute for top short list on SecLists
9. Check upload functions for alternate file types that can execute code (xss
or php/etc/etc)
~ 15 minutes

78.
78
Things to take with you…
1. Crowdsourced testing is different enough to pay attention to
2. Crowdsourcing focuses on the 20% because the 80% goes quick
3. Data analysis can yield the most successfully attacked areas
4. A 15 minute web test, done right, could yield a majority of your critical vulns
5. Add polyglots to your toolbelt
6. Use SecLists to power your scanners
7. Remember to periodically refresh your game with the wisdom of other techniques and
other approaches
Follow these ninjas who I profiled: https://twitter.com/Jhaddix/lists/bninjas

79.
79
Gitbook project: The Bug Hunters Methodology
This preso ended up to be way too much to fit in an 45min talk so... we turned it into a Git
project! (if you are reading this from the Defcon DVD check my twitter or Github for linkage)
● 50% of research still unparsed
● More tooling to automate
● XXE and parser attacks
● SSRF
● Captcha bypass
● Detailed logic flaws
● More mobile